Criminals, Nation-States Keep Hijacking BGP and DNS

The internet is composed of a series of networks built on trust. Unfortunately, that trust can be abused due to weaknesses in older protocols, such as Border Gateway Protocol and the Domain Name System, which were never designed with security in mind.

BGP distributes routing information between the internet's autonomous networks, telling routers which path to use to reach a given block of IP addresses, or prefix. DNS works like a phone book, translating human-readable domain names into IP addresses. And both are being exploited by criminal gangs and nation-state actors (see: St. Louis Fed Confirms DNS Hijacking).

"BGP and DNS are the soft underbelly of the web," says Alan Woodward, a professor of computer science at the University of Surrey. "BGP is totally based upon trust at present, and if that is broken - by mistake or deliberately - then routing can be subverted. There are initiatives to try to secure BGP, such as Secure Inter-Domain Routing, but they will take a long time to be universal."

Secure Inter-Domain Routing is an Internet Engineering Task Force initiative to create infrastructure that it says would allow an entity "to verifiably assert that it is the legitimate holder of a set of IP addresses or a set of Autonomous System (AS) numbers."

Until fixes for exploitable protocols are in place, expect criminals to keep calling.

Last November, an apparent BGP hijack made Google's internet traffic route via internet service providers in Nigeria, Russia and China, any of which could have eavesdropped on it. But Nigerian ISP MainOne quickly took the blame, saying the rerouting was due to an inadvertent BGP routing error on its part (see: Who Hijacked Google's Web Traffic?).

"I hope this latest fiasco of traffic rerouting through China is the wake-up call for all of us to get serious about addressing the massive and unacceptable vulnerability inherent in today's BGP routing architecture," Rob Joyce, the U.S. National Security Agency's senior adviser for cybersecurity strategy to the director, said via Twitter at the time.

The same month, the Australian government discovered that all traffic going to its Department of Defense websites was flowing through several of China Telecom's data centers, taking a path it wasn't meant to follow, in what may have been a case of BGP hacking. While it's not clear what happened, the inappropriate BGP routing lasted for nearly 30 months (see: Did China Spy on Australian Defense Websites?).

Cyber Espionage Campaign

DNS is also being abused for cyber espionage. In November 2018, Crowdstrike said it had spotted such a campaign targeting government domains in Lebanon and the United Arab Emirates. "We are naming it DNSpionage due to the fact that it supports DNS tunneling as a covert channel to communicate with the attackers' infrastructure," Crowdstrike said.

In January, FireEye documented a global DNS hijacking campaign "that has affected dozens of domains belonging to government, telecommunications and internet infrastructure entities across the Middle East and North Africa, Europe and North America," possibly sponsored by Iran.

Woodward says BGP hijacking poses a similar problem: while large, well-resourced organizations may quickly spot such hijacking, service providers in small countries may not.

Domain Hijacking Defenses

Fixes for the security shortfalls in current BGP and DNS protocols exist, including Secure Inter-Domain Routing. But many organizations have yet to adopt them.

To block domain hijacking, organizations can adopt Domain Name System Security Extensions, or DNSSEC, an IETF suite of specifications that cryptographically signs DNS data so that resolvers can verify it has not been forged or altered. It also helps lock down account access and prohibits changes to a site's DNS settings by anyone who is not on a list of authorized users (see: Secure Domains: The DNS Security Debate).

"Many organizations have not protected their zones with DNSSEC because historically there has been a perception that it was difficult to implement and required a tradeoff in functionality," says Jonathan Sullivan, CTO of NS1, an intelligent DNS and internet traffic management technology company based in New York. "We know now with modern DNS this is not the case, but until this perception changes, organizations continue to prioritize the need for optimal performance over security, neglecting DNSSEC implementation."

Slow BGP Fix Adoption

To fix BGP, Sullivan says the security industry needs to bring authentication to bear on every layer of the internet.

To do that, he says organizations should primarily look to two protocols: Resource Public Key Infrastructure and BGPsec.

"RPKI provides a secure way to connect internet number resource information, such as IP addresses, to a trust anchor, and it ensures that updates are secure and authentic," he says. "BGPsec extends the RPKI by adding an additional BGPsec router certificate that binds public and corresponding private keys to validate and protect the routing path."

Both would be helpful for better securing internet users, but adoption has been tepid, he says, because they're only effective once adoption reaches critical mass. "I don't expect RPKI and BGPsec will see wide adoption until there's a seismic event - such as one with major financial damages or government or political implications. But once we reach critical mass, the benefits will be far reaching."

Organizations have also shied away from adopting the technology because it will require additional investment.

"In many cases, the hardware simply cannot support it, and replacing it for the new capabilities can be extremely costly. Consider the magnitude of replacing the majority of major ISP and NSP routers installed before 2010," Sullivan tells Information Security Media Group.

Pending some major catastrophe that drives a sudden rush of adoption, Sullivan says these factors appear unlikely to change soon. "As BGP hijacking attacks increase in volume and scope, so will the incentive to implement authentication-based routing protocols," he says.

"Unfortunately, it is the network services providers who must take action, not the attack victims," he adds. "I hope we will see some sort of industrywide drive to improve BGP security. This could be in the form of regulations and mandates or it could be that users - those who are the intended targets of these attacks - start requiring RPKI and BGPsec from ISPs, much like government agencies require DNSSEC from their providers."

NIST Issues Guidance

Last year, the U.S. National Institute for Standards and Technology announced a proposed project to test RPKI and BGP Origin Validation, which resulted in the release of guidance to "address and resolve the erroneous exchange of network routes."

In June 2018, Andreas Reuter, an internet backbone security researcher, ran tests on behalf of APNIC, the regional internet registry administering IP addresses for the Asia Pacific. He found that adoption of Route Origin Validation was "expectedly bleak," counting only a few dozen network domains - specifically, autonomous systems - that had adopted it.
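As an added illustration of the Route Origin Validation that NIST and APNIC were measuring (example code written for this page, not from either organization, the article or any router vendor), the following Python applies the RFC 6811 validation rule to a set of RPKI ROAs. All prefixes, AS numbers and ROAs are constructed documentation/private values; the foreign-origin announcement is built to resemble the MainOne leak described above, and the more-specific case shows why the ROA's maxLength matters even when the origin AS is right.

```python
# Route Origin Validation (RFC 6811) of BGP announcements against RPKI ROAs.
# All prefixes, AS numbers and ROAs here are constructed values, not registry data.
from dataclasses import dataclass
from ipaddress import ip_network

@dataclass(frozen=True)
class ROA:
    prefix: str       # address block the holder has authorized
    max_length: int   # longest more-specific the origin may announce
    origin_as: int    # AS number allowed to originate it

def validate_origin(announced_prefix: str, origin_as: int, roas) -> str:
    """Classify one announcement as 'valid', 'invalid' or 'not-found'."""
    announced = ip_network(announced_prefix)
    covering = []
    for roa in roas:
        roa_net = ip_network(roa.prefix)
        # A ROA covers the route if it is the same address family and the
        # announced prefix lies inside the ROA prefix (equal or more specific).
        if roa_net.version == announced.version and announced.subnet_of(roa_net):
            covering.append(roa)
    if not covering:
        return "not-found"   # RPKI says nothing about this address space
    for roa in covering:
        # One matching ROA suffices: authorized origin AS and within maxLength.
        if roa.origin_as == origin_as and announced.prefixlen <= roa.max_length:
            return "valid"
    return "invalid"         # covered, but foreign origin or too specific

# Constructed ROAs: AS 64500 holds both documentation blocks.
ROAS = [ROA("203.0.113.0/24", 24, 64500), ROA("2001:db8::/32", 48, 64500)]

# Constructed announcements. The second mimics a MainOne-style leak, where a
# foreign AS originates a prefix it does not hold; the third is a more-specific
# announcement that exceeds maxLength and so fails even with the right origin.
ANNOUNCEMENTS = [
    ("203.0.113.0/24", 64500),
    ("203.0.113.0/24", 64511),
    ("203.0.113.0/25", 64500),
    ("2001:db8:1::/48", 64500),
    ("198.51.100.0/24", 64500),
]

def classify_all(announcements=ANNOUNCEMENTS, roas=ROAS):
    """Return {(prefix, origin_as): state} for a batch of announcements."""
    return {(p, asn): validate_origin(p, asn, roas) for p, asn in announcements}

if __name__ == "__main__":
    for (prefix, asn), state in classify_all().items():
        print(f"{prefix:<17} AS{asn:<6} {state}")
```

A router or monitoring system doing origin validation would drop or deprioritize the "invalid" routes; the "not-found" state is what the APNIC count above reflects for most of the internet, since unsigned address space cannot be checked at all.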

UK Active Cyber Defense

Other government-led efforts are underway to fix vulnerable internet protocols.

"We're currently working with the U.K. telecommunications industry to stop the well-known abuse of the BGP and SS7 protocols to reroute traffic," Ciaran Martin, chief of the National Cyber Security Center, the public-facing component of intelligence agency GCHQ, said in 2016.

"This is about changing the implementation of [BGP], the protocol used to sort out IP routing between carriers, and SS7, the international telecoms signaling protocol, so that we can stop trivial re-routing of U.K. traffic and make some more bold statements," said Ian Levy, NCSC's technical director. "If the BGP work succeeds, we should be able to say that hijacking a U.K. prefix by BGP is harder."

About the Author

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as executive editor of DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.
